WHITE PAPER ON CYBER SECURITY OPERATION CENTER (CSOC)

THE CHANGING LANDSCAPE



Introduction


Thanks to the Internet and the developments around it, the world has changed its data dimensions and opened up new ways of data communication, gravitating around the Internet highway to build a cyber economy. A variety of data, travelling at varying velocity through this cyber highway, leads to overexposure of organizational data assets.

Cyber adversaries constantly monitor information technology infrastructure, deploying novel and sophisticated techniques to collect organizational data, identify organizational weaknesses, and plan new-generation attacks that uphold their strategic strengths. The sophistication of the techniques they deploy is mind-boggling and demands special focus.

This new-generation data exposure has created the need for advanced monitoring capabilities within the organization to validate data flow from a security standpoint. Such advanced solutions are designed under the umbrella term 'Cyber Security Operations Center (CSOC)'.

The focus of this white paper is to provide, as a concept note, an outline of the CSOC, the skill matrix required, the responsibilities of the associated security personnel, and the associated big data technology stack.

With multi-faceted threats stalking the data, perfection in security deployments is not only impossible but unrealistic. Cyberattacks and intrusions are difficult to prevent given the openness of today's networks, and the growing sophistication of advanced threats calls for constant and continuous vigilance.


Cyber Threat Intelligence

Cyber Intelligence

It is evident that the cyber threat landscape is dynamic in nature and has always been driven by human adversaries. Threats are addressed mostly by security point products and point solutions built around signatures, faults, and behavioral aspects of data flow. Such point solutions lack the ability to address the changing threat landscape. Threat intelligence has to be built within the organization to strengthen cyber security.

Cyber Intelligence (CI) is designed to comprehend, characterize, and classify cyber data traffic and its associated risk levels. It is essential to understand that cyber intelligence enables an organization to equip itself for prevention and recovery. In CI, the spectrum of attacks and the associated actions, in terms of detection and recognition systems coupled with check points to mitigate risks, are documented. Thus CI becomes integral to the growth of an organization and acts as a knowledge hub to drive decisions within the organization's framework. HTC has its own research and development team that works in this space to comprehend the dynamics of cyber threats.

Tactics, Techniques, and Procedures (TTP)

Cyber Intelligence is the collective knowledge based on years of experience. The threat actors / agents, with their associated motives and technical capabilities, are documented in the form of Tactics, Techniques, and Procedures (TTP). The term is borrowed from defense and is used to describe cyber adversaries at increasing levels of detail. It is imperative to understand TTP, since they can be leveraged by competent adversaries in exposing organizational data.

Some of the prominent use cases include the analysis and characterization of security information such as the types of attack and actions that have occurred, or are likely to occur, on the organization's cyber infrastructure, and the ways and means of detecting them along with their intentions. The use cases also include risks, risk mitigations, differing profiles of threat actors, and their capabilities in the form of tactics, techniques, and procedures (TTP) based on their past performance, and studies on the vulnerability status, misconfigurations, or weaknesses they are likely to target.

Data-intensive firms and national entities have started realizing their weaknesses and have privately initiated cyber task forces to strengthen threat intelligence apart from their regular operations. 'Cyber Threat Intelligence' capability is evolving as a key ingredient of an organization's defense system.


Cyber Security Operations Center (CSOC)

Security is evolving as a critical organizational entity. As a responsible entity, it needs the right mix of technologies working together as part of an intelligence-driven security program. However, given current conditions, this is a challenging requirement. To address this challenge, organizations are investing in upskilling their work force and strengthening their security in terms of advanced solutions and visualizations.

Given this backdrop, it is clear that informatics and data security call for cyber-savvy security specialists to constantly scrutinize the data traffic of organizations. This new-generation scrutiny is nicknamed the 'Cyber Security Operations Center (CSOC)'. The new-generation CSOC is a culmination of advanced and sophisticated knowledge on various facets of cyber data flow, with big data used to tackle the streaming traffic.

Skill Matrix

Building a CSOC can be a difficult task. Although the finer aspects of CSOC deployment are very much network-specific, there are several components that every deployment will include in terms of people, process, and technology. CSOCs will need to build collaborative teams encompassing skills in cyber forensics, coding and scripting across the spectrum of protocols over the TCP stack, understanding of cyber intelligence, breach management, and penetration testing. Baselining tools, skills, and process methodologies in security operations is essential to establish solutions that protect the organization's critical information assets.

Apart from the technology stack, the associated security personnel are expected to develop an investigative mindset, which is usually a rare skill. They are considered resources with the capability to visualize the organization's assets and vulnerabilities through the eyes of adversaries and to anticipate attacks.

Cyber decision makers and cyber operations personnel work together to prevent or detect cyber threat activity and to investigate and respond to any detected incidents.


The following types of profiles are emerging as guardians of CSOC:

Cyber Security Analyst (CSA)

CSAs are primarily operations personnel and are deployed as the first line of defense to monitor data flow. These analysts witness cyber traffic in its raw form on the super highway. They work on structured and unstructured data flowing on the cyber highways and understand data from a variety of manual or automated sources.

CSAs address dynamic changes witnessed in the traffic and create the first level of incident tickets, which get pushed to the Cyber Threat Analyst (CTA) for further analysis. They play the role of traffic doctors, identifying and isolating unusual traffic through filters built on data distillation designs. These filters are provided by security experts and are custom-built in the organization. They have the capability to extract various traffic insights based on organizational design constraints.
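The paragraph above describes a first-line filter that isolates unusual traffic and turns it into a ticket for the CTA, but does not show what such a filter looks like. The following is an added example, not code from the white paper or from HTC: it baselines each host's daily outbound byte volume from constructed flow records, flags a host whose current volume deviates sharply from its own baseline, and wraps the finding in a first-level ticket. The record layout, the hostnames, the review window and the 3-sigma threshold are all assumptions of this example.

```python
"""Added example (not from the white paper or HTC): a first-line traffic filter
of the kind a Cyber Security Analyst might run. It baselines per-host outbound
byte volume from constructed flow records, flags hosts whose review-day volume
deviates sharply from their own baseline, and emits a first-level ticket for
the Cyber Threat Analyst. Record format, thresholds and hostnames are assumed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (day, source host, destination, bytes out).
# Days d1-d5 form the baseline window; d6 is the day under review.
FLOWS = [
    ("d1", "ws-101", "203.0.113.10", 12_000), ("d2", "ws-101", "203.0.113.10", 13_500),
    ("d3", "ws-101", "203.0.113.10", 11_800), ("d4", "ws-101", "203.0.113.10", 12_900),
    ("d5", "ws-101", "203.0.113.10", 12_400), ("d6", "ws-101", "198.51.100.7", 880_000),
    ("d1", "ws-102", "203.0.113.10", 40_000), ("d2", "ws-102", "203.0.113.10", 38_000),
    ("d3", "ws-102", "203.0.113.10", 42_500), ("d4", "ws-102", "203.0.113.10", 41_000),
    ("d5", "ws-102", "203.0.113.10", 39_500), ("d6", "ws-102", "203.0.113.10", 43_000),
]
BASELINE_DAYS = {"d1", "d2", "d3", "d4", "d5"}
REVIEW_DAY = "d6"
Z_THRESHOLD = 3.0  # assumed: flag when review volume exceeds baseline mean + 3 sigma


def daily_bytes(flows, days):
    """Sum outbound bytes per host per day, restricted to the given day set."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, _dst, nbytes in flows:
        if day in days:
            totals[src][day] += nbytes
    return totals


def find_outliers(flows, baseline_days=BASELINE_DAYS, review_day=REVIEW_DAY, z=Z_THRESHOLD):
    """Return {host: (review_bytes, baseline_mean, z_score)} for hosts over threshold."""
    base = daily_bytes(flows, baseline_days)
    review = daily_bytes(flows, {review_day})
    out = {}
    for host, per_day in base.items():
        vals = list(per_day.values())
        mu, sigma = mean(vals), pstdev(vals)
        # A perfectly flat baseline (sigma == 0) must not divide by zero; floor at 1% of mean.
        sigma = max(sigma, 0.01 * mu)
        cur = review.get(host, {}).get(review_day, 0)
        score = (cur - mu) / sigma
        if score > z:
            out[host] = (cur, mu, score)
    return out


def make_tickets(flows):
    """Wrap each outlier into a first-level ticket for CTA review."""
    tickets = []
    for host, (cur, mu, score) in sorted(find_outliers(flows).items()):
        dests = sorted({dst for day, src, dst, _ in flows if day == REVIEW_DAY and src == host})
        tickets.append({
            "source": host,
            "review_bytes": cur,
            "baseline_mean": round(mu),
            "z_score": round(score, 1),
            "destinations": dests,
            "severity": "high" if cur > 10 * mu else "medium",
            "next": "CTA",
        })
    return tickets


if __name__ == "__main__":
    for ticket in make_tickets(FLOWS):
        print(ticket)
```

On the constructed data only ws-101 is ticketed: its day-6 volume is roughly seventy times its baseline mean, whereas ws-102's day-6 volume sits well inside its own normal variation. Comparing each host to its own history, rather than to a single global threshold, is what keeps a busy file server from drowning the ticket queue.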

[Figure: Cyber Security Operating Center architecture. Components shown: Data Collector & Consolidator fed by Log Files, Network Traffic, and Existing Sources; S.Event, A.Event, and T.Event streams; Hadoop Cluster; Analytics Engine; outputs of Alerts, Cases, Profiles, and Feed Analysis; and the three roles Cyber Security Analyst, Cyber Threat Analyst, and Cyber Security Expert.]


Cyber Threat Analyst (CTA)

CTAs review and classify cyber threats. They understand the nature of the associated threats, identify them, and characterize them such that threat-related actions, behaviors, capabilities, intents, and attributed actors of the threat are expressed through threat communication standards. They work on the tickets created and, based on their understanding and characterization of threats, identify relevant threat indicator patterns, suggest courses of action to respond to such threats, and share information with other trusted parties.

Cyber Security Expert (CSE)

The CSEs are the knowledge hub of the organization and have a clear understanding of security threats and the various security domains. They work on big data cyber security platforms to analyze threat indicators and enable organizations to validate and protect digital assets.

They play a critical role in safeguarding the assets of the organization. They are familiar with machine learning solutions and come up with new variants of data distillation designs as preventive measures. Preventive actions may be remedial in nature, mitigating vulnerabilities, weaknesses, or misconfigurations that may be targets of exploitation. After detection and investigation of specific incidents, reactive courses of action may be pursued.


Cyber Threat Standards

Standards provide a way to exchange information in a common format. They are essential to establish control over the exchange and discussion of security threats amongst participating agencies. A good start in this direction are the evolving standards on Structured Threat Information eXpression (STIX) and related areas.

Structured Threat Information eXpression (STIX)

STIX is an excellent collaborative, community-driven effort in creating a language for threat communications. The language provides a common syntax to define and represent structured cyber threat information, which can be exchanged amongst peers. It defines methods for threat specification, threat information capture, characterization, and communication. It shares a common architectural design to unite cyber threat information such as Cyber Observables, Indicators, Incidents, Adversary Tactics, Techniques and Procedures, Exploit Targets, Courses of Action, Cyber Attack Campaigns, and Cyber Threat Actors.

Trusted Automated Exchange of Indicator Information (TAXII)

TAXII goes with STIX, creating harmony and empowering organizations to achieve improved situational awareness on emerging threats. It defines a collection of services and related message exchanges. When implemented, TAXII empowers organizations to share actionable cyber threat information across the cyber world and across product / service boundaries. With the help of participating member specifications, TAXII defines concepts, protocols, and message exchange formats. It has emerged as the preferred method of information exchange.
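The STIX and TAXII sections above describe the language and the exchange mechanism, and the CTA section earlier describes matching threat indicator patterns against local data, but none of them shows what an ingested indicator looks like. The following is an added example, not code from the white paper or from HTC: it takes a TAXII-style envelope containing STIX indicators, filters out objects that are not indicators or are outside their validity window, and matches the surviving indicator patterns against constructed local observations. The envelope, the indicator identifiers and the observed events are all constructed; the field names follow the current STIX 2.1 and TAXII 2.1 specifications rather than the MITRE-era versions the white paper references, and only the simplest pattern form, `[object:property = 'value']`, is handled, which is an assumption of this example.

```python
"""Added example (not from the white paper or HTC): ingest STIX 2.1 indicators
delivered in a TAXII 2.1 "objects" envelope and match them against locally
observed events. All identifiers, timestamps and events below are constructed.
Only equality patterns of the form [object:property = 'value'] are parsed."""
import json
import re
from datetime import datetime, timezone

# Constructed TAXII 2.1 envelope, shaped like a collection's objects endpoint response.
TAXII_ENVELOPE = json.dumps({
    "more": False,
    "objects": [
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--0f1e2d3c-4b5a-4697-8a9b-0c1d2e3f4a5b",
            "created": "2024-01-10T09:00:00.000Z", "modified": "2024-01-10T09:00:00.000Z",
            "name": "Constructed C2 address", "indicator_types": ["malicious-activity"],
            "pattern": "[ipv4-addr:value = '198.51.100.7']", "pattern_type": "stix",
            "valid_from": "2024-01-10T09:00:00Z",
        },
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--1a2b3c4d-5e6f-4a7b-8c9d-0e1f2a3b4c5d",
            "created": "2023-01-01T00:00:00.000Z", "modified": "2023-01-01T00:00:00.000Z",
            "name": "Expired constructed domain", "indicator_types": ["malicious-activity"],
            "pattern": "[domain-name:value = 'old.example']", "pattern_type": "stix",
            "valid_from": "2023-01-01T00:00:00Z", "valid_until": "2023-06-01T00:00:00Z",
        },
        {   # a non-indicator object: the ingest must skip it, not crash on it
            "type": "identity", "spec_version": "2.1",
            "id": "identity--9f8e7d6c-5b4a-4392-8170-6f5e4d3c2b1a",
            "created": "2024-01-10T09:00:00.000Z", "modified": "2024-01-10T09:00:00.000Z",
            "name": "Constructed sharing partner", "identity_class": "organization",
        },
    ],
})

# Matches the single-comparison subset of the STIX patterning language.
SIMPLE_PATTERN = re.compile(r"^\[\s*([a-z0-9-]+):([a-z0-9_.]+)\s*=\s*'([^']*)'\s*\]$")

# Point in time at which the example evaluates indicator validity (constructed).
REVIEW_TIME = datetime(2024, 2, 1, tzinfo=timezone.utc)


def parse_time(stamp):
    """Parse a STIX timestamp (UTC, optional milliseconds) into an aware datetime."""
    return datetime.fromisoformat(stamp.rstrip("Z")).replace(tzinfo=timezone.utc)


def load_indicators(envelope_json, now):
    """Return active, parseable indicators as (object type, property, value, stix id)."""
    active = []
    for obj in json.loads(envelope_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        match = SIMPLE_PATTERN.match(obj.get("pattern", ""))
        if not match:
            continue  # AND / OR / FOLLOWEDBY patterns need a full pattern parser
        valid_from = obj.get("valid_from")
        if not valid_from or now < parse_time(valid_from):
            continue
        if "valid_until" in obj and now >= parse_time(obj["valid_until"]):
            continue
        active.append((match.group(1), match.group(2), match.group(3), obj["id"]))
    return active


# Constructed local observations: (event id, observable type, property, value).
OBSERVED = [
    ("evt-1", "ipv4-addr", "value", "203.0.113.10"),
    ("evt-2", "ipv4-addr", "value", "198.51.100.7"),
    ("evt-3", "domain-name", "value", "old.example"),
]


def match_events(envelope_json, observed, now=None):
    """Return [(event id, indicator id)] for observations that hit an active indicator."""
    now = now or datetime.now(timezone.utc)
    index = {(t, p, v): sid for t, p, v, sid in load_indicators(envelope_json, now)}
    return [(eid, index[(t, p, v)]) for eid, t, p, v in observed if (t, p, v) in index]


if __name__ == "__main__":
    for hit in match_events(TAXII_ENVELOPE, OBSERVED, REVIEW_TIME):
        print(hit)
```

Evaluated at the constructed review time, only the address indicator is active, so `evt-2` is the sole hit; the domain observation in `evt-3` matches an indicator whose `valid_until` has passed and is correctly ignored. Honouring the validity window is what prevents a feed from generating tickets on stale intelligence, and skipping the `identity` object shows why an ingest must branch on `type` rather than assume every object in a collection is an indicator.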


Malware Attack Enumeration and Classification (MAEC)

MAEC is a standardized language for encoding vital malware information based on attributes such as behaviors, artifacts, and attack patterns. The focus of MAEC is to reduce any reliance on malware signatures. Its primary focus is to improve human-to-human, human-to-tool, tool-to-human, and tool-to-tool communication on malware information and reduce potential duplication of malware analysis efforts.

Cyber Observable Expression (CyBOX)

CyBOX is a standardized schema to specify, capture, characterize, and communicate security events observed in the operational aspects of security. It provides a common mechanism for addressing cyber observables across the entire range of security use cases to improve consistency, efficiency, interoperability, and overall situational awareness. A wide variety of high-level cyber security use cases rely on such information, including event management / logging, malware characterization, intrusion detection, incident response / management, and attack pattern characterization.

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC is a comprehensive dictionary and classification taxonomy of known attacks and is built around the common concepts of attack trees and attack graphs. It is used by analysts, developers, testers, and educators to spread community understanding and enhance defenses.


Streaming Data and Analytics

The advent of big data solutions is transforming the security domain and has emerged as a boon for analyzing high-velocity cyber traffic, nicknamed 'streaming traffic'. It has opened up new ways of visualizing traffic flow with associated analytics.

The sudden surge in the development of CSOCs built over big data capabilities has started addressing the needs of security analytics, throwing open a completely different perspective on addressing organizational security.

Cyber security analytic platforms are emerging to address the needs of the future. The visibility provided by these big data platforms creates unprecedented opportunities to isolate traffic irregularities and uncover evidence of hidden threats and impending attacks.

Dynamic data provides a richer and more granular view of security incidents. Big data enables presentation of the threat landscape in high definition, as opposed to the reduced visibility of conventional approaches. Security-related details can be seen in sharper focus and irregularities can be detected faster. Since security analytics in big data platforms have the capability to integrate threat intelligence from external sources (thanks to standards), organizations gain a panoramic view of the threat landscape to address the needs of cyber security. Enhanced data visibility leads to enhanced security capabilities.



Conclusion

The future is centered on the CSOC, and organizations around the world have started exploring ways of establishing one. HTC is a trusted partner in the cyber security operations space. With its team of security consultants with rich experience, HTC can address the security needs and help establish Network, Security, and Cyber Security Operation Centers.

References

• http://maec.mitre.org/
• http://cybox.mitre.org/
• https://taxii.mitre.org/

About HTC Global Services

HTC Global Services, Inc. (HTC) is a leading global provider of IT Solutions and Business Process Outsourcing services. HTC has a strong client base of Global 2000 customers. HTC specializes in innovative and cost-effective solutions to shorten the time to market, reduce costs, and improve business processes. As a mid-sized IT company with qualified and experienced professionals, HTC is well positioned to provide its customers fast, focused, and emerging IT solutions that maximize return on their IT investments.

Established in 1990, HTC is a US-based company with corporate headquarters in Troy, Michigan, providing services and solutions at customer locations and at HTC delivery centers located around the world. HTC's process maturity, quality, and information security processes are compliant with SEI CMM Level 5, ISO 9001, ISO 27001, and PCI DSS standards.


World Headquarters
3270 West Big Beaver Road
Troy, MI 48084, U.S.A
Phone: 248.786.2500
Fax: 248.786.2515
www.htcinc.com
Reaching out… through IT ®

USA · UK · Germany · India · Malaysia · Singapore · UAE · Australia · Indonesia